I’m feeling a sense of deja vu right now. Back in August, Oracle had to release an emergency patch when a zero-day exploit was found in Java. Then, at the beginning of December a new zero-day exploit started being sold for a five figure sum. Jump to just a few days ago and another zero-day exploit and emergency patch were released. And now guess what? Yet another Java zero-day exploit is being sold for a five figure sum.

Security vendors warned that even with the latest patch, Java remained vulnerable, and this latest exploit proves them right. It’s being sold on a private cybercrime forum at a cost of $5,000, with two sales available netting the seller $10,000. Chances are, he’s already collected the money and the exploit is in use.

The exploit is valuable because not only is it usable on the most up-to-date version of Java, which could remain vulnerable for weeks, if not months, it is also thought to be brand new and not part of any exploit pack, which can cost up to $10,000 per month to use.

Our advice therefore remains the same: disable or uninstall Java on your machine unless you have a real need for it. Chances are you don’t, and it’s a leftover from an automatic install or just software that came pre-installed on your PC or laptop.
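Before you can disable or uninstall Java you need to know whether it is actually there, and a leftover install is easy to miss when it only lives as a browser plugin. The script below is an added example, not part of the original post: it inventories a Linux or Unix desktop for a Java runtime on the PATH and for copies of Oracle's NPAPI browser plugin, which on Linux ships as `libnpjp2.so`. The plugin directories it is pointed at are an assumption and should be adjusted to the browser in use.

```shell
#!/bin/sh
# Added example (not from the original post): inventory Java on a Linux/Unix
# host so you can decide whether to disable or uninstall it.
# Assumptions: POSIX sh; Oracle's Linux browser plugin is named libnpjp2.so;
# the plugin directories to scan are supplied by the caller.

# java_in_path: print the java binary on PATH and return 0, or return 1 if none.
java_in_path() {
    command -v java 2>/dev/null
}

# find_java_plugin: print every libnpjp2.so (file or symlink) directly under,
# or one level below, each directory given; return 0 if any found, else 1.
find_java_plugin() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/libnpjp2.so "$dir"/*/libnpjp2.so; do
            if [ -e "$f" ] || [ -L "$f" ]; then
                printf '%s\n' "$f"
                found=0
            fi
        done
    done
    return $found
}

# count_java_plugins: number of plugin copies found under the given directories.
count_java_plugins() {
    find_java_plugin "$@" | wc -l | tr -d ' '
}

# java_report: human-readable summary of what was found.
java_report() {
    if p=$(java_in_path); then
        echo "java runtime on PATH: $p"
    else
        echo "java runtime on PATH: none"
    fi
    n=$(count_java_plugins "$@")
    echo "browser plugin copies found: $n"
}

# Typical usage on a Linux desktop; these are the usual Mozilla plugin
# locations and are an assumption, not something the post specifies:
# java_report /usr/lib/mozilla/plugins "$HOME/.mozilla/plugins"
```

A runtime on the PATH with no plugin copies means the browser exposure is already gone and only local Java applications remain; a plugin copy with no runtime on the PATH is the classic leftover the post describes, and is the one worth removing first.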

With the repeated release of new exploits, and a fix time by Oracle quoted in years by those in the security community, the situation isn’t going to get any better anytime soon.